Please could you update selinux-policy package and try it again?
I tried to reproduce it and I cannot see your issue.
On 07/29/2015 10:01 AM, Robin Lee Powell wrote:
rlpowell@jukni> rpm -q selinux-policy
selinux-policy-3.13.1-128.1.fc22.noarch
rlpowell@jukni> rpm -q policycoreutils
policycoreutils-2.3-16.fc22.x86_64
rlpowell@jukni>
On Wed, Jul 29, 2015 at 09:59:43AM +0200, Lukas Vrabec wrote:
> Hi Robin,
> Could you attach output of:
> $ rpm -q selinux-policy
> $ rpm -q policycoreutils
>
> Thank you!
>
> On 07/29/2015 09:03 AM, Robin Lee Powell wrote:
>> On Tue, Jul 28, 2015 at 12:07:51AM -0700, Robin Lee Powell wrote:
>>> On Mon, Jul 27, 2015 at 08:29:29PM -0700, Robin Lee Powell wrote:
>>>> On Mon, Jul 27, 2015 at 07:45:11PM -0400, Simon Sekidde wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Robin Lee Powell" <rlpowell(a)digitalkingdom.org>
>>>>>> To: selinux(a)lists.fedoraproject.org
>>>>>> Sent: Monday, July 27, 2015 6:05:51 PM
>>>>>> Subject: Conflict between local module and local fcontext
>>>>>>
>>>>>>
>>>>>> So I have a custom module that includes:
>>>>>>
>>>>>> type lojban_logger_t;
>>>>>> type lojban_logger_exec_t;
>>>>>>
>>>>>> application_domain( lojban_logger_t, lojban_logger_exec_t)
>>>>>> init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
>>>>>>
>>>>>> (not sure if those are redundant?) and:
>>>>>>
>>>>>> /srv/lojban/irclogs(/.*)? system_u:object_r:lojban_logger_t:s0
>>>>>>
>>>>>> I've made a variety of changes with "semodule fcontext", including:
>>>>>>
>>>>>> /srv/lojban system_u:object_r:httpd_user_content_t:s0
>>>>>> /srv/lojban(/.*)? system_u:object_r:httpd_user_content_t:s0
>>>>>>
>>>>>> As a result, the changes in my module are ignored, and the files
>>>>>> end up with httpd_user_content_t
>>>>>>
>>>>>> So I tried:
>>>>>>
>>>>>> $ sudo semanage fcontext -a -t lojban_logger_t '/srv/lojban/irclogs(/.*)?'
>>>>>> ValueError: Type lojban_logger_t is invalid, must be a file or device type
>>>>>>
>>>>>> Uhh.
>>>>>>
>>>>>> I guess this means that the custom module's types can't be seen by
>>>>>> semanage?
>>>>>>
>>>>>> So, what's the correct solution here?
>>>>>>
>>>>> 1) Define a new type that is usable for log files in the .te
>>>>>
>>>>> type logjban_logger_log_t;
>>>>> logging_log_type(logjban_logger_log_t)
>>>>>
>>>>> 2) Add this label to the path in the .fc
>>>>>
>>>>> /srv/lojban/irclogs(/.*)? system_u:object_r:logjban_logger_log_t:s0
>>>> Unless I'm missing something, this won't help at all; the semanage
>>>> fcontext rule will win, and they'll end up with httpd_user_content_t
>>>> per the rule for /srv/lojban(/.*)? , because semanage fcontext rules
>>>> *always* win over module rules.
>>> Ah, I see what you're saying; that way at least I'd *have* a file
>>> type, that I could then add with semanage. I'll try that, thanks.
>> So I did that, and now:
>>
>> rlpowell@jukni> sudo semanage fcontext -a -t lojban_logger_logs_t '/srv/lojban/irclogs(/.*)?'
>> libsemanage.dbase_llist_query: could not query record value (No such file or directory).
>> OSError: No such file or directory
>> rlpowell@jukni>
>>
>> Here's the policy:
>>
>> policy_module(MYLOCAL_lojbanlogger, 1.6.0)
>> ########################################
>> #
>> # Declarations
>> #
>> type lojban_logger_t;
>> type lojban_logger_logs_t;
>> type lojban_logger_exec_t;
>> gen_require(`
>> type httpd_t;
>> type setfiles_t;
>> type unconfined_t;
>> type staff_t;
>> ')
>> #============= lojban_logger_t ==============
>> manage_dirs_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
>> manage_files_pattern( lojban_logger_t, lojban_logger_logs_t, lojban_logger_logs_t)
>> # Be a file type and a domain
>> application_domain( lojban_logger_t, lojban_logger_exec_t )
>> # File type
>> logging_log_file(lojban_logger_logs_t)
>> # Be an init/systemd daemon
>> init_daemon_domain(lojban_logger_t, lojban_logger_exec_t)
>> # connect to ircd
>> corenet_tcp_connect_ircd_port(lojban_logger_t)
>> --
>> selinux mailing list
>> selinux(a)lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> --
> Lukas Vrabec
> SELinux Solutions
> Red Hat, Inc.
>
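As an added illustration of the precedence Robin describes (a local `semanage fcontext` rule overriding a module's own .fc entry), here is a small checker that is not code from the thread or from policycoreutils: it takes a module's .fc text plus the local rules and reports which paths end up relabelled. It assumes the last-match-wins ordering the thread states (local rules appended after module rules) and ignores the optional object-class field.

```python
import re

# Constructed sample from the thread: the module's .fc entry, then the two
# rules that were later added with "semanage fcontext -a".
MODULE_FC = "/srv/lojban/irclogs(/.*)?  system_u:object_r:lojban_logger_logs_t:s0\n"
LOCAL_FC = """
/srv/lojban         system_u:object_r:httpd_user_content_t:s0
/srv/lojban(/.*)?   system_u:object_r:httpd_user_content_t:s0
"""

def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, file type, context).
    The optional -d/-f/... class field is kept but not evaluated here."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # file_contexts regexes are implicitly anchored at both ends
        specs.append((re.compile("^" + regex + "$"), ftype, ctx))
    return specs

def lookup(specs, path):
    """Context of the last matching spec, or None. Assumed precedence, as the
    thread describes it: local rules come after module rules, last match wins."""
    for regex, _ftype, ctx in reversed(specs):
        if regex.match(path):
            return ctx
    return None

def find_shadowed(module_fc, local_fc, paths):
    """Map each path whose module label is overridden by a local rule to
    (label the module wanted, label the path actually gets)."""
    module_specs = parse_fc(module_fc)
    combined = module_specs + parse_fc(local_fc)
    shadowed = {}
    for path in paths:
        wanted = lookup(module_specs, path)
        actual = lookup(combined, path)
        if wanted is not None and wanted != actual:
            shadowed[path] = (wanted, actual)
    return shadowed
```

Calling `find_shadowed(MODULE_FC, LOCAL_FC, ["/srv/lojban/irclogs"])` reports that the module wanted `lojban_logger_logs_t` but the local `/srv/lojban(/.*)?` rule gives `httpd_user_content_t`, which is exactly the conflict the thread is about.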